Commit graph

125 commits

Author SHA1 Message Date
Jens L 23c69c456a
providers/proxy: add setting to intercept authorization header (#4457)
* add setting to intercept authorization header

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* rename to intercept_header_auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-17 18:56:48 +01:00
Jens Langhammer 19ee98b36d
outposts/proxy: allow setting no-redirect via header or query param
closes #4455

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-17 10:56:43 +01:00
Jens Langhammer 9b2ceb0d44
outposts/proxy: make logged user more consistent, set FlushInterval
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-14 23:58:15 +01:00
Jens Langhammer 69d4719687
outposts/proxy: set http code when no redirect header is set
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-14 22:20:52 +01:00
Jens Langhammer d31e566873
outposts/proxy: add header to prevent redirects
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-14 22:18:25 +01:00
Jens Langhammer 0ddcefce80
outposts/proxy: cache basic and bearer credentials for one minute
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-14 22:12:48 +01:00
Jens Langhammer 4c45d35507
outposts/proxy: fix error handling, remove requirement for profile/etc scopes
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-14 21:44:28 +01:00
Jens Langhammer 829e49275d
outposts/proxy: fix proxy's TokenIntrospection potentially not being set
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-14 20:54:34 +01:00
Jens L cd12e177ea
providers/proxy: add initial header token auth (#4421)
* initial implementation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* check for openid/profile claims

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include jwks sources in proxy provider

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add web ui for jwks

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* only show sources with JWKS data configured

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix introspection tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start basic

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add basic auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs, update admonitions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add client_id to api, add tab for auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update locale

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-13 16:22:03 +01:00
Jens Langhammer b3da1d223c providers/proxy: correctly set id_token_hint if possible
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-12 19:02:37 +00:00
Jens L 55aa1897af
root: use single redis db (#4009)
* use single redis db

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* cleanup prefixes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* ensure __str__ always returns string

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix remaining old prefixes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add release notes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-11-15 14:31:29 +01:00
Jens L d53733b6fc
outposts/proxy: reduce possibility for redirect loops, keep single state (#3831)
use single state, redirect when start url is hit with active session

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-20 21:27:34 +02:00
Jens L 49b6aabb02
outposts/proxy: fix redirect path when external host is a subdirectory (#3628)
fix redirect path when external host is a subdirectory

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-09-22 10:10:29 +02:00
Jens L 47daaf969a
outposts: fix oauth state when using signature routing (#3616)
* fix oauth state when using signature routing

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* more retires

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-09-19 21:38:34 +02:00
Jens Langhammer 220f123b29 internal: add more tracing for states
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-09-07 09:53:10 +02:00
Jens Langhammer 8e7a456f74 providers/proxy: fix routing based on signature in traefik and caddy
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-09-02 22:03:08 +02:00
Jens Langhammer 8ffae4505f internal: set Host on url in envoy
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-18 23:20:12 +01:00
Jens Langhammer 0cc83c23c4 providers/proxy: fix duplicate proxy set default
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-18 21:13:45 +01:00
Jens Langhammer 514c48a986 internal: fix routing for requests with querystring signature to embedded outpost
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-18 20:43:01 +02:00
Jens Langhammer 201bea6d30 internal: add X-authentik-logout signature to trigger logouts when URLs are not exposed
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-07 18:50:24 +02:00
Jens Langhammer fcf4657833 providers/proxy: add is_superuser to ak_proxy object, only show full error when superuser
closes #3314

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-30 20:29:23 +02:00
Jens L 393d7ec486
providers/proxy: no exposed urls (#3151)
* test any callback

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* cleanup

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* dont detect callback in per-server handler

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* use full redirect uri with both path and query param

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* correctly route to embedded outpost for callback signature

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix allowed redirects

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-30 17:51:01 +02:00
Jens L b41acebf5b
providers/proxy: add caddy endpoint (#3330)
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-29 10:58:53 +02:00
Jens Langhammer 10b48b27b0 internal: walk config in go, check, parse and load from scheme like in python
closes #2719

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-26 11:33:37 +02:00
Jens Langhammer 41eb44137e internal: remove pkg/errors 2022-07-05 20:26:33 +00:00
Jens Langhammer b6267fdf28 *: add versioned user agent to sentry
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-20 11:54:10 +02:00
Jens Langhammer 79bec6f6b2 providers/proxy: only send misconfiguration event once
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-16 10:32:34 +02:00
Jens Langhammer e30103aa9f providers/proxy: use same redirect-save code for all modes
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-04 23:25:47 +02:00
Jens L 8447e9b9c2
providers/proxy: envoy v2 (#3029)
* add path prefix

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* use prefix correctly

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* only set redirect if session doesn't have a redirect yet

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-03 10:32:52 +02:00
Jens L f9a419107a
outposts/proxyv2: add basic envoy support (#3026)
* outposts/proxyv2: add basic envoy support

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* don't crash when backend is not available

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add envoy tests and docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-03 00:06:09 +02:00
Jens L 3eb466ff4b
lifecycle: cleanup prometheus (#2972)
* remove high cardinality labels

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* retry worker number for prometheus multiprocess id

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* revert to pid, use subdirectories

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* cleanup more

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* use worker id based off of https://github.com/benoitc/gunicorn/issues/1352

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix missing app label

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* tests/e2e: remove static names

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-29 21:45:25 +02:00
Jens L a286f999e2
api: migrate to openapi generator v6 (#2968)
* migrate to openapi generator v6

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* bump api

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-26 15:15:30 +02:00
Jens Langhammer 646d174dd2 internal: revert cookie path on proxy causing redirect loops
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-21 16:26:12 +02:00
Jens Langhammer ebb44c992b Revert "internal: set SameSite for outpost"
This reverts commit 7e95c756b9.
2022-05-21 14:08:40 +02:00
Jens Langhammer 7e95c756b9 internal: set SameSite for outpost
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-21 13:21:45 +02:00
Jens Langhammer be26b92927 internal: cleanup outpost logs
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-21 13:18:06 +02:00
Jens Langhammer a52638d898 internal: fix typo in session name constant
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-20 10:10:29 +02:00
Jens Langhammer 421b003218 internal: set path on cookie for proxy
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#2305
2022-05-11 10:08:38 +02:00
Jens Langhammer 76660e4666 internal: add tests with querystring
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-03-07 22:03:36 +01:00
Jens Langhammer 62a939b91d internal: bump api client to v3
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-03-03 10:40:07 +01:00
Jens Langhammer 6fdf3ad3e5 internal/outpost: improve logging and add tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#2393
2022-02-26 22:29:56 +01:00
Jens Langhammer 744f250d05 providers/proxy: always set rd param in addition to session to prevent wrong url in session
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-02-18 10:32:22 +01:00
Jens Langhammer 19b1f3a8c1 internal/outpost: fix logic error
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-02-17 20:50:47 +01:00
Jens Langhammer 45f2c5bae7 web/admin: fix invalid URLs in example proxy config
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-02-15 23:24:27 +01:00
Jens Langhammer 5d8c1aa0b0 outposts/proxy: correctly check host in forward domain redirect
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#1997
2022-02-15 14:58:19 +01:00
Jens Langhammer 0101368369 outposts/proxy: fix logic error in rd argument
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#1997
2022-02-15 13:43:55 +01:00
Jens Langhammer 4854f81592 outposts/proxy: correctly handle ?rd= param
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#1997
2022-02-15 11:05:03 +01:00
Jens Langhammer 908f123d0e website/docs: update nginx config
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-02-15 10:24:08 +01:00
Jens Langhammer 4915e980c5 providers/proxy: revert Host header behaviour
closes #2284

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-02-14 12:39:16 +01:00
Jens Langhammer 1f838bb2aa outposts/proxy: add X-Forwarded-Host since Host now gets changed by the proxy
closes #2284

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-02-10 23:09:55 +01:00